Using SRP with AppLocker to block more scripts

Since AppLocker only cares about .ps1, .bat, .cmd, .vbs, and .js scripts, I thought I might use SRP to disallow other scripts to be run outside of %WinDir% and %ProgramFiles% to make life more of a PITA for users

Already removed stuff covered by AppLocker from Designated File Types plus a bunch of others, such as MS Access/Project files, LNK, CHM... So, what would be a good suffix list for this? Ideas?

When AppLocker is active, SRP is disabled, so not sure why you'd want to remove anything from SRP, and if I am not mistaken that feature only blocks by file extension, which is easy to circumvent and btw doesn't work if a script is assigned to open by a third-party app.
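To make the two points above concrete (the first post's plan to layer SRP Designated File Types on top of AppLocker, and the reply's caveat that AppLocker's script handling is extension-based), here is an added PowerShell example. It is not code posted by anyone in this thread. It reports, for a list of candidate extensions, whether AppLocker's Script rule collection covers the extension and in which enforcement mode, and whether SRP's Designated File Types list contains it. It assumes an elevated PowerShell on a Windows client that has the AppLocker cmdlets (Windows 7 / Server 2008 R2 or later); the default candidate list is only the extensions mentioned in the thread and the SRP registry location is the standard Safer policy key.

```powershell
# Added example for this thread, not code posted by anyone in it.
# Reports which candidate extensions AppLocker's Script collection enforces on
# this machine and which extensions SRP lists as Designated File Types, so an
# admin can see what each mechanism is configured to cover before layering them.
# Assumptions: elevated PowerShell with the AppLocker module present; the
# default candidate list is just the extensions named in the thread.

function Get-ScriptExtensionCoverage {
    param(
        # Candidate extensions to check (thread's own examples by default).
        [string[]]$Candidates = @('.ps1', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.chm')
    )

    # Extensions AppLocker's Script rule collection handles (documented by Microsoft).
    $appLockerScriptExt = @('.ps1', '.bat', '.cmd', '.vbs', '.js')

    # Effective AppLocker policy = local policy merged with every applied GPO.
    $scriptMode = 'NotConfigured'
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        $coll = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
        if ($coll -and $coll.EnforcementMode) { $scriptMode = $coll.EnforcementMode }
    } catch {
        Write-Warning "AppLocker cmdlets unavailable: $_"
    }

    # SRP settings live under the Safer policy key. ExecutableTypes is a
    # REG_MULTI_SZ of extensions stored without the leading dot (e.g. BAT, VBS).
    $saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srpTypes = @()
    $srpDefault = 'not configured'
    if (Test-Path $saferKey) {
        $props = Get-ItemProperty -Path $saferKey
        if ($props.ExecutableTypes) {
            $srpTypes = @($props.ExecutableTypes | ForEach-Object { '.' + $_.ToLower() })
        }
        # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
        switch ($props.DefaultLevel) {
            0       { $srpDefault = 'Disallowed' }
            0x20000 { $srpDefault = 'Basic User' }
            0x40000 { $srpDefault = 'Unrestricted' }
        }
    }

    foreach ($ext in $Candidates) {
        [pscustomobject]@{
            Extension       = $ext
            AppLockerScript = ($appLockerScriptExt -contains $ext.ToLower())
            AppLockerMode   = $scriptMode
            SrpDesignated   = ($srpTypes -contains $ext.ToLower())
            SrpDefaultLevel = $srpDefault
        }
    }
}

Get-ScriptExtensionCoverage | Format-Table -AutoSize
```

Read the SRP columns as configuration only: as the reply above notes, once AppLocker rules are enforced, SRP is not applied on that machine, so an extension showing SrpDesignated = True and AppLockerScript = False is still not blocked by anything. The report is meant to make that gap visible before deciding which mechanism to use for a given OU.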

if I am not mistaken that feature only blocks by file extension which is easy to circumvent and btw doesn't work if a script is assigned to open by a third-party app.


Yes, by extension. Perfectly enough since their browsing is already restricted to the intranet and a couple of selected sites.

Why I wanted to do this? Because the users here are complete morons. (Their computer literacy pretty much reflects their salary, ugh... Good that I spend just a couple of hours a week in this company from hell.) Would prefer to not get into more details; suffice to say that recently one of them wiped pretty much his entire user profile by clicking on a "picture" which was a script. It was a "joke" by one of his fellow workers. Similar incidents happen a couple of times every month, and am I tired of restoring the backups.

Well, since both cannot be applied at the same time, I will have to look at alternative GPO stuff to do the same; thread pretty much closed. Or I will just send them to hell and tell them to find another backup-restore monkey.

Wanted to avoid it since there is one big office OU with the same AppLocker policy... which also includes normal people with much less restricted internet access. AppLocker obviously preferred there. Also a whole lot better when forcing up-to-date versions of applications etc. Also at least one less policy and OU to manage. Eh well, sigh...

Honestly these morons would be best served with a Linux live CD if a couple of the core apps there did not require Windows.